Malware's Most Wanted: Financial Trojans

Aug 03, 2015


Cyphort
Transcript
Page 1: Malware's Most Wanted: Financial Trojans
Page 2

Knowing Your Enemy: What Makes a Trojan Financial?

Page 3

Your speakers today

Nick Bilogorskiy (@belogor), Director of Security Research

Shel Sharma, Product Marketing Director

Page 4

Agenda

o What makes a Trojan Financial
o Financial Trojans countdown
o Wrap-up and Q&A

(Image: Cyphort Labs T-shirt)

Page 5

Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response

We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research

We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data

Page 6

What makes a Trojan Financial

o What they try to get:
  o Direct collection/theft of credit cards
  o Collection of credentials for online fraud
  o Fake bank communication
  o Direct control over bank transfer system

o How sophisticated they are:
  o Man-in-the-browser: webinjects
  o Evasion, armoring, anti-analysis
  o Configuration file for targets
  o Encrypted Command-and-Control and DGA

Page 7

Shylock

Aka Caphaw. Enemy #8

Page 8

Shylock Trojan

o First seen: 2011
o Target: European banks, especially UK
o Distribution: Blackhole, Cool, Magnitude, Nuclear, and Styx Exploit Kits, spam, malvertising via Youtube ads, Skype.
o Value Stolen: several million dollars
o Infected Users: 60,000 (Symantec)
o Actors: in Russia or Eastern Europe

Page 9

Shylock features

o Steals financial info via man-in-the-browser
o Injects itself in svchost and explorer, uses bootkit
o VNC module to control user machine
o Spreads through Skype

Page 10

Bebloh

Aka URLzone. Enemy #7

Page 11

Bebloh Trojan

o First seen: 2009
o Target: Western Europe banks (most in Germany)
o Distribution: LuckySploit Kit, spam mails
o Value Stolen: $7.3 Million dollars annually (just one gang)
o Infected Users: less than 30,000 (Source: Symantec)

Page 12

Bebloh: PDF exploit

Page 13

Bebloh Features

o Forces use of Internet Explorer
o Disables use of a proxy
o Monitors access of certain online banking sites
o AV evasion
o Encrypted config file

Page 14

Bebloh Trojan

o C&C communication

o Decrypted config file

Page 15

Bebloh: AV evasion

Page 16

Vawtrak

Aka Snifula, Neverquest, Papras. Enemy #6

Page 17

Vawtrak Trojan

o First seen: August 2013
o Target: North American banks
o Distribution: Angler Kit, Kuluoz spam, Chanitor downloader
o Value Stolen: $24 Million dollars (RT)
o Infected Users: about 100,000
o Actors: Russian Neverquest Vawtrak crew, vorVzakone – Oleg Tolstykh (phishlabs)

Page 18

Vawtrak Trojan

AVG

Page 19

Vawtrak features

o The Vawtrak CNC process is complex and well-hidden. The update servers are hosted as Tor hidden services, and communication is done over SSL. Communication happens only while the user is browsing the Internet (i.e. while a browser is producing network traffic), so it blends into normal web activity.

o The command and control center of the attack is located in Russia.

o Furthermore, Vawtrak uses steganography, hiding the update lists inside 4 kB favicon image files and carrying the data in the least significant bits of the pixels.
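The favicon steganography from the last bullet, as an added example that is not Vawtrak code or Cyphort tooling: a triage check that measures the entropy of an icon's least-significant-bit plane, run over a constructed 32x32 BGRA icon (4096 bytes, i.e. 4 kB) before and after a constructed sequential LSB embedding of a placeholder update list. The embedding scheme, icon art and list contents are all assumptions made up for the demonstration.

```python
"""LSB-plane triage for 4 kB favicons (added example, constructed data).
Vawtrak hid update lists in icon LSBs; flat icon art has a low-entropy LSB
plane, while embedded data makes the plane look random."""
import math
from collections import Counter

WIDTH, HEIGHT, CHANNELS = 32, 32, 4          # 32x32 BGRA = 4096 bytes = 4 kB

# Constructed placeholder list, not a real indicator.
PAYLOAD = b"\n".join([
    b"update.invalid/v1/list.bin", b"mirror-a.invalid/v1/list.bin",
    b"mirror-b.invalid/v1/list.bin", b"fallback.invalid/v1/list.bin",
])

def constructed_icon() -> bytearray:
    """Two-colour checkerboard: the kind of flat art real favicons use."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            dark = (x // 8 + y // 8) % 2 == 0
            px += bytes((30, 90, 200, 254) if dark else (241, 241, 241, 255))
    return px

def lsb_plane(pixels: bytes) -> bytes:
    """Pack the least-significant bit of every byte, MSB first, into bytes."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for b in pixels[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        out.append(byte)
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant plane, 8 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Constructed sequential LSB embedding, used only to build the positive case."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_entropy(pixels: bytes) -> float:
    """Triage score; baseline it against known-clean icons of the same style,
    since photographic or dithered icons have naturally noisy LSBs."""
    return shannon_entropy(lsb_plane(pixels))
```

The clean icon scores exactly 1.0 bit per byte (its LSB plane is runs of 0x00 and 0xFF), while the same icon carrying the 113-byte list scores above 2.0, and the first bytes of the plane read back as the list itself.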

Page 20

Dridex

Aka Cridex, Bugat. Enemy #5

Page 21

Dridex Trojan

o First seen: Nov 2014
o Target: North American and European banks
o Distribution: spam mails with Word documents
o Infected Users: about 29,000 (Symantec)

Page 22

Dridex features

o Some versions use P2P over HTTP for carrying out botnet communication
o Uses web injects to carry out man-in-the-browser attacks
o Uses VNC
o Can act as a RAT tool, unlike other banking Trojans
o Uses an XML-based config file

Page 23

Dyre

Aka Dyreza. Enemy #4

Page 24

Dyre Trojan

o First seen: 2014
o Target: North American corporate banks
o Distribution: spam mails, by Upatre and Cutwail botnets, RIG exploit kit.
o Value Stolen: over $1 million dollars (IBM)
o Infected Users: 90,000+ (Symantec)
o Actors: Eastern Europe, Dyre Wolf gang (FBI)

Page 25

Dyre Trojan

Source: www.blueliv.com

Page 26

Dyre features

o Uses man-in-the-browser attack
o Browser Snapshot: can take pictures and grab credentials.
o Adds extra text fields required for accessing the account
o Uses SSL, DGA algorithm, 1000 domains each day for CNC
o THE PHONE CALL – ADVANCED SOCIAL ENGINEERING
o To hide its backend infrastructure, Dyre deploys a set of proxy servers that act as C2 servers.

Page 27

SpyEye

Enemy #3

Page 28

SpyEye

o First seen: 2009
o Target: mostly US
o Distribution: sold as a toolkit ranging from $500 to $8,500 depending on the plugins. Most bots arrive through spam mails.
o Value Stolen: tens of millions of dollars (infosecurity-magazine.com)
o Infected Users: 1.4 million (FBI)
o Actor: Aleksander Panin a.k.a. Gribodemon or Harderman, arrested in June 2013

Page 29

SpyEye

Page 30

SpyEye features

o Uses man-in-the-browser attack
o Configuration file is saved in encrypted format.
o Browser Snapshot: can take pictures and grab credentials.
o Only activates when the user is browsing the bank's website
o Updates itself
o Injects into explorer.exe

Source: http://www.xylibox.com/

Page 31

Zeus

Enemy #2

Page 32

ZEUS: What is it

o First seen: 2007
o Target: all financial institutions
o Distribution: drive-by downloads, spam
o Value Stolen: $100 Million dollars (FBI)
o Infected Users: 4 Million+
o Actors: Russian Evgeniy Bogachev

Page 33

ZEUS Actors

Evgeniy Bogachev, 30, of Anapa, Russia. Nickname "Slavik". Gameover Zeus ringleader.

Hamza Bendelladj, 24, Algerian. Nickname "Bx1". Botmaster. Arrested and extradited in 2013.

Page 34

ZEUS Advanced tricks

o Steganography
o Rootkit
o Anti-Debugging
o Digital signatures
o Modular. Flexible. Persistent.

Page 35

Carbanak

Aka Anunak. Enemy #1

Page 36

Carbanak Trojan

o First seen: February 2015
o Target: Russia, followed by the United States, Germany, China and Ukraine
o Distribution: targeted phishing emails
o Value Stolen: $1 Billion dollars
o Infected Users: only a thousand private customers
o Actors: China or Russia

Page 37

Carbanak Trojan

Page 38

Carbanak features

o APT TTP. A backdoor based on the Carberp malicious code.
o Evasion – anti-VM, sleeping, anti-debugging
o Moved laterally to infiltrate administrator machines and observed cash transfer patterns
o Steals from banks directly, not from users
o ATMs were instructed to dispense cash for money mules
o Manipulating account balances

Page 39

Trojans map

(Map figure placing Vawtrak, Dyre, Carbanak, SpyEye, Bebloh and Shylock against the USA, UK, Germany, Russia and China.)

Page 40

Conclusions

o Continued activity targeting individuals using more sophisticated Trojans
o Increased ransomware with blackmail tactics for extortion
o Increased campaigns and malware targeting banks and clearing houses themselves

Page 41

Q and A

Previous MMW slides on

www.slideshare.net/Cyphort/

Page 42

Thank You!
Twitter: @belogor

Page 43